passive wireless side measurement
play

Passive Wireless-side Measurement Aniket Mahanti Carey Williamson - PowerPoint PPT Presentation

Remote Analysis of a Distributed WLAN using Passive Wireless-side Measurement Aniket Mahanti Carey Williamson Martin Arlitt University of Calgary IFIP Performance 2007 1 Introduction Wireless Local Area Networks (WLANs) are commonplace


  1. Remote Analysis of a Distributed WLAN using Passive Wireless-side Measurement Aniket Mahanti Carey Williamson Martin Arlitt University of Calgary IFIP Performance 2007 1

  2. Introduction  Wireless Local Area Networks (WLANs) are commonplace in many university campuses.  Usage trends observed on a campus network often transcend many other WLAN environments, such as enterprises and public hotspots.  As WLANs grow in size, scale, and complexity, the challenges for WLAN measurement also grow.  The primary challenges for WLAN measurement include the geographic diversity of WLAN deployments, the physical proximity required for WLAN packet capture, and the need for a wireless-side view of the network. IFIP Performance 2007 2

  3. Wireless Trace Collection Methods WLAN AP Wireless PDAs Wireless Router Internet Switch DATA Wireless FRAMES sniffer Workstation Ethernet running Airopeek AP Sniffer Wireless Laptops Wired-side Measurement Wireless-side Measurement IFIP Performance 2007 3

  4. Advantages of Wireless-side Measurement  Wired-side Measurement  Wireless-side Measurement ⚫ Does not capture Control or ⚫ RFGrabbers can capture all Management frames. wireless frame types. ⚫ Wireless MAC header gets ⚫ RFGrabbers capture the complete replaced by an Ethernet MAC wireless MAC header. header. ⚫ Airopeek can provide MAC/PHY ⚫ Obtaining MAC/PHY information such as data rate, information is difficult. frame directionality, signal strength, and retransmission flags. ⚫ Supplementary information required for complete WLAN ⚫ No supplementary information analysis (e.g., SNMP polling, required. syslog). IFIP Performance 2007 4

  5. Objectives  Demonstrate the feasibility of a practical and commercially-available solution for remote passive wireless-side measurement in a large distributed production WLAN.  Present a comprehensive multi-layer analysis of our WLAN datasets, from the application layer to the wireless link layer. IFIP Performance 2007 5

  6. Network Environment AirUC is the wireless network available throughout the University of Calgary campus, provided by UCIT: ⚫ Uses 802.11 a/b/g standard. ⚫ Available to 28,000 students, and 5,000 faculty and staff. ⚫ Non-encrypted infrastructure network consisting of 476 Aruba APs (2006). ⚫ APs controlled by 6 central AP Aruba AP 70 controllers. ⚫ Uses three channel spectrum for ‘b/g’ mode (channels 1,6,11). IFIP Performance 2007 6

  7. Measurement Methodology  We collected WLAN traces using a specialized trace capture program called Airopeek, which works in conjunction with network adapters to capture wireless frames.  We used off-the-shelf adapters called RFGrabbers that can capture all 802.11 a/b/g frames at a remote location (i.e., “listen only” AP).  The RFGrabber plugs into an Ethernet LAN and sends UDP-encapsulated copies of captured frames back to Airopeek running elsewhere on the network. IFIP Performance 2007 7

  8. Wireless-side Trace Collection Medical MedSkills Business Law Library (18 APs) (6 APs) (23 APs) (14 APs) Wireless AP AP PDAs Switch Workstations RFGrabber running Airopeek Wireless File Server IT Office (9 APs) Laptops Student Food Coffee Main Court Area Library Centre (12 APs) (3 APs) (8 APs) (4 APs)  RFGrabbers were configured to scan channels 1, 6, and 11 every 500 ms to capture WLAN traffic in the `b/g’ mode.  RFGrabbers captured packets from 97 APs at 9 locations, representing 20% of the WLAN.  The RFGrabber probes see 95% – 99% of the traffic transiting a nearby AP. IFIP Performance 2007 8

  9. Trace Data Overview Trace Duration ~6 weeks (Mar 3 – Apr 14, 2006) Number of Frames ~ 1 billion 64% Management frames 36% Data frames Number of Users 6,775 (based on MAC addresses) IP Traffic Volume Incoming = 58 GB (Total = 102 GB) Outgoing = 27 GB Local (Internal) = 17 GB Avg. user sessions/day 1,481 User devices 50% of user devices had built- in wireless NICs (e.g., Intel, IBM, Mac) Operating systems 60% Windows, 12% Mac OS IFIP Performance 2007 9

  10. Multi-layer WLAN Analysis  User view  User session view ⚫ WLAN usage ⚫ Sessions per user ⚫ Usage regularity ⚫ Session duration  Application view ⚫ Session activity ⚫ Application-layer  Network view protocols ⚫ AP load ⚫ Traffic directionality  Wireless view  Mobility view ⚫ Channel usage ⚫ APs and locations visited ⚫ Error rates ⚫ Mobility pattern IFIP Performance 2007 10

  11. User View  Daily WLAN usage  Hourly WLAN usage  Usage regularity IFIP Performance 2007 11

  12. Daily WLAN Usage 1350 Total users 1200 Stationary users Mobile users 1050 Number of users 900 750 600 450 300 150 0 Mon Tue Wed Thu Fri Sat Sun Day  More users used the WLAN during the early part of the week.  On each day, about 25% of the observed users are mobile. IFIP Performance 2007 12

  13. Hourly WLAN Usage 500 Weekday User Median Weekend User Median 400 Number of users 300 200 100 0 0 4 8 12 16 20 Hour  Diurnal usage pattern is evident.  The diurnal patterns observed were quite consistent across all of the 9 locations studied.  The Main Library location differed slightly: activity persisted into the late evening, because of extended hours during the final exam period. IFIP Performance 2007 13

  14. Usage Regularity 0.35 Empirical PDF 0.30 Logarithmic Distribution Model PDF 0.25 Fraction of Users 0.20 0.15 Θ =0.94 0.10 0.05 0.00 1 5 9 13 17 21 25 29 33 37 Number of Days  Approx. 30% of users used the WLAN on only one day in trace.  Only 3 users connected on all days during the trace period. IFIP Performance 2007 14

  15. Application View  Application-layer protocols  Traffic directionality IFIP Performance 2007 15

  16. Application-layer Protocols 50 Packets Bytes 40 Percentage of total 30 20 10 0 e a k v s b P i d e / r r i t l e e o g 2 s c e i a s w h W e n P a m a M w t t c r t a O e a i e i e t h v N t l D N u c r n e M x I S E Application layer protocols We used a simple port number-based approach for traffic classification.  About 46% of user traffic bytes was from Web surfing and 15% of user  traffic was from known P2P applications. About 30% of traffic was “Others” (unknown).  By applying payload-based signature classification on a separate 1-hour  trace we found that a majority of the “Others” traffic was due to P2P. IFIP Performance 2007 16

  17. Traffic Directionality 100 Incoming Outgoing 80 Percentage of total bytes Local 60 40 20 0 Multimedia Interactive Exchange Mail/ Network Web Others P2P News Services Data Application layer protocols Analysis reveals distinctive profiles for different network applications.  Web: Users surfed off-campus Web sites more than local university sites.  Data file system: Users are primarily accessing content from UofC file servers.  P2P: Traffic balance between incoming and outgoing. Low internal P2P traffic  suggest that these applications do not exploit local network topology well, or that users have such diverse interests that local file sharing is rare. IFIP Performance 2007 17

  18. Mobility View  APs and locations visited  Mobility pattern IFIP Performance 2007 18

  19. APs and Locations Visited 0.30 60 Empirical PDF Geometric Distribution 0.25 50 Model PDF Percentage of total users Fraction of Users 0.20 40 0.15 30 p=0.27 0.10 20 0.05 10 0.00 0 1 2 3 4 5 6 7 1 5 9 13 17 21 25 29 Number of locations visited Number of APs Visited  About 54% of users were seen at only a single physical location.  About 30% of the users were seen at only one AP.  Visit behaviour differs slightly across locations, since it is influenced by the number of APs available.  Few users were highly mobile; nonetheless, the distribution does have a pronounced tail. IFIP Performance 2007 19

  20. Mobility Pattern 900 870 750 600 844 802 900 450 750 300 546 s r e 600 s 150 U 458 f o 450 r 0 e Med. Library b m Coffee Area u 300 IT Office N Student Centre Food Court 150 Law Main Library 0 Business Med. Library MedSkills Coffee Area IT Office Student Centre Food Court Law Main Library The user mobility patterns observed are influenced by geographic proximity.  For example, only 70 users from the two Medical Centre sites (2 kms away from the main campus) were observed using the WLAN at other campus locations. Many users are common between the Student Centre, Food Court, Law, and  Main Library, considered pairwise. These results reflect the popularity of these locations with users. IFIP Performance 2007 20

  21. User Session View  Sessions per user  Session duration  Session activity IFIP Performance 2007 21

Recommend


More recommend